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[ADVANCED MAC OS X PHYSICAL MEMORY ANALYSIS] 

In 2008 and 2009, companies and governments (e.g. Law Enforcement agencies) interests for Microsoft Windows 
physical memory grew significantly. Now it is time to talk about Mac OS X. This paper will introduce basis of Mac 
OS X Kernel Internals regarding management of processes, threads, files, system calls, kernel extensions and more. 
Moreover, we are going to details how to initialize and perform a virtual to physical translation under an x86 Mac 
OS X environment. 



Advanced Mac OS X Physical Memory Analysis 



Introduction 

In 2008 and 2009, companies and governments (e.g. Law Enforcement agencies) interests for Microsoft Windows 
physical memory grew significantly. Now it is time to talk about Mac OS X. This paper introduces Mac OS X Kernel 
Internals regarding management of processes, threads, files, system calls, kernel extensions and more. We provide 
details on how to initialize and perform a virtual to physical translation under a x86 Mac OS X environment. 

Physical Memory is widely known in the UNIX world as /dev/mem. 

Memory Address Translation 
Quick Translation Formula 

Most Operating Systems have a way to compute the kernel physical address even if you do not have the cr3 
register value which is used as Directory Table Base for virtual to physical address translation. If you want to have 
more detailed information on this, please refer to Intel64 and IA-32 Architectures Software Developer's Manuel: 
Volume 3A System Programming Guide . 1 

By kernel physical addresses, I mean the kernel image ( DATA & CODE sections) physical address. Both 

contain important information and variables we need. For instance, to reconstruct the kernel address space we 
need to be able to use Smart Translation Formula which requires variables we can retrieve using Quick Translation 

Formula. As I said above, with Quick Translation Formula we can only access to DATA and CODE sections of 

the kernel image and not to allocated buffers. 

Here is a summary of some operating systems with their corresponding formula to translate from Kernel Virtual 
Address (KVA) to Kernel Physical Address (KPA). 



Operating System 


Quick translation formula 


x86 Linux 


KPA = KVA - OxCOOOOOOO 


PlayStation 3 Linux 


KPA = KVA - 0XC000000000000000 


x86 Windows 


KPA = KVA & OxlFFFFOOO 


Mac OS X 


KPA = KVA 



As you can see the formula for Mac OS X, is the easiest existing formula. 

Smart Translation Formula 

Using Quick Translation Formula, we can retrieve variables from DATA section and initialized by 

slave_pstart () function of Mac OS X Kernel, which is called during the Operating System initialization. 
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There are ~4 variables which are interesting to perform the Smart Translation Formula: IdlePDPT, 
IdlePDPT64, IdlePML4 and IdlePTD. 

IdlePML4 variable is initialized even on 32-bits Operating System. PML4 stands for Page Map Level 4 paging 
structure. This method can be used to address up to 2 A 27 pages, which spans a linear address space of 2 A 48 bytes. 

Then, using IdlePML4 variable we can cover a translation mechanism for a linear address space of 2 A 48 bytes 
even if the processor cannot do it. Internally, in kernel structures, Mac OS X is using 64-bits addressing for memory 
objects. 

These variable are used later to initialize kernel map and kernel pmap kernel structures/variables. 
Here is a common output of these variables under Mac OS X Leopard. 
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* IdlePDPT64: 
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* IdlePTD: 
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Symbols 

Symbols are a key element of volatile memory forensics without them an advanced analysis is impossible. Symbols 
of Microsoft Windows are available on a remote server as standalone files, but on Mac OS X symbols are directly 
stored inside the executable in a segment/section called LINKEDIT. 
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The easiest way to retrieve kernel symbols is to extract them from the kernel executable of the hard-drive. 



Symbols are firstly used to retrieve the address of memory variable for Smart Translation Formula. 
Fat Header 

Mac OS X file format follows the FAT file format which contains magic signature of the header and the number of 
different architectures entries (i386, PowerPC or Both) inside the executable in big endian. 

#define FAT_MAGIC OxBEBAFECA 

typedef struct _FAT_HEADER 
{ 

ULONG magic; 
ULONG nfat_arch; 
} FAT_HEADER, * PFAT_HEADER; 

To jump to the first architecture entry we add sizeof (FAT HEADER) bytes to the pointer of the file header. 
Earch entry uses the following definition, and also uses the big endian endianess. 

typedef struct _FAT_ARCH 
{ 

cpu_type_t cputype; 
cpu_subtype_t cpusubtype; 
ULONG offset; 
ULONG size; 
ULONG align; 
} FAT_ARCH, *PFAT_ARCH; 

The first field, cpu type, indicates to the loader what kind of architecture this entry defines using the following 
description: 

typedef enum 
{ 

CPU_TYPE_VAX = 1, 
CPU_TYPE_ROMP = 2, 
CPU_TYPE_NS32032 = 4, 
CPU_TYPE_NS32332 = 5, 
CPU_TYPE_MC68 0xO = 6, 
CPU_TYPE_I386 = 7, 
CPU_TYPE_MIPS = 8, 
CPU_TYPE_NS32532 = 9, 
CPU_TYPE_MC98000 = 10, 
CPU_TYPE_HPPA = 11, 
CPU_TYPE_ARM = 12, 
CPU_TYPE_MC88000 = 13, 
CPU_TYPE_SPARC = 14, 
CPU_TYPE_I8 60 = 15, 
CPU_TYPE_ALPHA = 16, 
CPU_TYPE_POWERPC = 18, 
/* APPLE LOCAL 64-bit */ 

CPU_TYPE_POWERPC_64 = (18 | CPU_I S 64BIT ) , 
/* APPLE LOCAL x86_64 */ 

CPU_TYPE_X8 6_64 = (CPU_TYPE_I38 6 | CPU_IS64BIT) 
} cpu_type_t; 

I Symbols | NFI 



And the third field, offset, contains the raw offset of the architecture header. 

We assume index x is the id of the CPU_TYPE_I386 architecture. So we have FAT_ARCH[x] .cputype 
equals to CPU_TYPE_I38 6 and FAT_ARCH[x] .offset as new pointer offset to the MACH_HEADER 
structure. 

Mach Header 

Now we have a pointer the i386 architecture binary using the following header definition and little-endian 
endianess. 

#define MH_MAGIC Oxfeedface 

typedef struct _MACH_HEADER 
{ 

ULONG Magic; 
cpu_type_t cputype; 
cpu_subtype_t cpusubtype; 
ULONG filetype; 
ULONG ncmds; 
ULONG sizeofcmds; 
ULONG flags; 
} MACH_HEADER, * PMACH_HEADER; 

This architecture validity can be verified using the Oxfeedface magic key. 

Now we can read what Apple calls commands, the field MACH HEADER. ncmds indicates the number of 
commands inside the Mach-0 binary. 

We have to add sizeof (MACH HEADER) to the Mach-0 header pointer to have a pointer to the first command 
entry. There are different commands types and size of commands depends of their type. Most important 
commands types are LC SEGMENT and LC SYMTAB. 

#define LC_SEGMENT 0x1 /* file segment to be mapped */ 

#define LC_SYMTAB 0x2 /* link-edit stab symbol table info (obsolete) */ 

And very two first fields contains information about the command's type and its size, using the following 
scheme: 

typedef struct _LOAD_COMMAND { 

ULONG cmd; /* type of load command */ 

ULONG cmdsize; /* total size of command in bytes */ 

} LOAD_COMMAND, * PLOAD_COMMAND ; 

Command type called LC SYMTAB, contains raw pointers to two different tables. One, called symof f, with 
NLIST structures-based entries, and another, called stroff, with functions and variables names of each 
corresponding entry in the same order. 

typedef struct _SYMTAB_COMMAND 
{ 

ULONG cmd; 
ULONG cmdsize; 
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ULONG symoff; 
ULONG nsyms; 
ULONG stroff; 
ULONG strsize; 
} SYMTAB_COMMAND, *PSYMTAB_COMMAND; 

typedef struct _NLIST 
{ 

ULONG n_strx; 
UCHAR n_type; 
UCHAR n_sect; 
USHORT n_desc; 
ULONG n_value; 
} NLIST, *PNLIST; 

Both symoff and stroff are pointer into the LINKEDIT segment. Please note we have to add 

FAT ARCH [x] . of f set value to these fields. And n value field from NLIST structure contains the symbol 
offset. 

Here is a short dump of symbols retrieved from Mac OS X Leopard kernel. 
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IS 64BIT PROCESS 


0x00373952 


[000225] 


_IdlePDPT 


0x004EB008 
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_IdlePDPT64 


0x004EB010 
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_IdlePML4 


0x004EB00C 
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_IdlePTD 
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0x0043008E 
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ZN5IOCPUllsetPropertyEPK80SSymbolP80SObject 


0x0042FE68 



[ . . ] 
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[013859] _zt_ent_zindex 0x00299028 

[013860] _zt_f ind_zname 0x00298D6D 

[013861] _zt_getNextZone 0x0029910E 

[013862] _zt_get_zmcast 0x00298FlD 

[013863] _zt_remove_zones 0x00298CDD 

[013864] _zt_set_zmap 0x002990B6 
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Once memory manager is functional, we can now proceed to the extraction of information such as process list and 
so on. 

Machine Information 

Machine identification is a very important part to validate result. This section covers how to retrieve Darwin 
version, compilation date, number of CPUs and available memory on the current system. 

There is a global variable, accessible from symbols, called version which contains a 100 bytes string with O.S. 
Type, O.S. Release version, username who compiled it. 

There is another global variable, accessible from symbols, called machine inf o defined by machine inf o 
structure which contains information about CPUs and Memory of the target machine. 

Definition of machine inf o structure can be retrieved in xnu/osfmk/mach/machine.h header file. 

Below is the definition of machine inf o structure under Mac OS X Snow Leopard. 

struct machine info { 

integer t major version; /* kernel major version id */ 

integer t minor version; /* kernel minor version id */ 

integer t max cpus; /* max number of CPUs possible */ 

uint32 t memory size; /* size of memory in bytes, capped at 2 GB */ 

uint64 t max mem; /* actual size of physical memory */ 

uint32 t physical cpu; /* number of physical CPUs now available */ 

integer t physical cpu max; /* max number of physical CPUs possible */ 

uint32 t logical cpu; /* number of logical cpu now available */ 

integer t logical cpu max; /* max number of physical CPUs possible */ 



'arwin Kernel Version ?,0,0: 


I me Oct ? 21:3S-.SS PDT 2007; root : *n«- 1 228 /RELEASE 1386 


lajor version: 


9 


.in ill* Win-:; Mill : 


H 


lax riuFiber of CPUs: 


4 


i"ze of physical menoi'if- 


10.24 HB 


lunbei* of physical CPUs; 


0i 


kraboi" of logical CPU;;: 


1 



Above is a screenshot of extraction information showing the target machine is running Mac OS X Leopard 10.5.0 
with 1GB of physical memory. 
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Mounted file systems are defined by a global list-head, accessible from symbols, called mountlist. mountlist 
is a single link-list and contains a pointer called next which is a pointer to the next mounted file system entry both 
are defined by mount structure. 



This structure contains 3 important fields including: file system type (f_f stypename), directory on which 
mounted (f mntonname) and mounted file system (f mntf romname). 

Definition of mount structure can be retrieved in xnu/bsd/sys/mount internal.h header file. 

Below is the definition of mount structure under Mac OS X Snow Leopard. 

/* 

* Structure per mounted file system. Each mounted file system has an 

* array of operations and an instance record. The file systems are 

* put on a doubly linked list. 

V 



struct mount { 

TAILQ_ENTRY (mount) mnt_list; 
int32 t mnt count; 

lck mtx t mnt mlock; 



struct vfsops 
struct vfstable 
struct vnode 
struct vnodelst 
struct vnodelst 
struct vnodelst 
uint32 t 
uint32_t 
uint32 t 
uint32 t 

struct vfsstatfs 
qaddr_t 



/* mount list */ 
/* reference on the mount */ 
mutex that protects mount point */ 
/* operations on fs */ 
/* configuration info */ 



*mnt_op; 
*mnt vtable; 
*mnt vnodecovered; / * vnode we mounted on */ 



/* list of vnodes this mount */ 
/* list of vnodes this mount */ 
/* list of vnodes this mount */ 
/* flags */ 

/* kernel only flags */ 
/* mount life cycle flags */ 
mnt maxsymlinklen; / * max size of short symlink */ 
mnt_vfsstat; /* cache of filesystem stats */ 

mnt_data; /* private data */ 



mnt vnodelist; 
mnt workerqueue; 
mnt newvnodes; 
mnt flag; 
mnt kern flag; 
mnt lflag; 



/* Cached values of the 10 constraints for the device */ 



uint32 t 
uint32 t 
uint32_t 
uint32 t 
uint32_t 
uint32 t 
uint32 t 

via DMA */ 

uint32 t 
uint32_t 

device can accept 
uint32 t 



mnt maxreadcnt; 
mnt maxwritecnt; 
mnt segreadcnt; 
mnt segwritecnt; 



/* Max. byte count for read */ 
/* Max. byte count for write */ 
/* Max. segment count for read */ 
/* Max. segment count for write */ 
mnt maxsegreadsize; /* Max. segment read size */ 
mnt maxsegwritesize; /* Max. segment write size */ 
mnt alignmentmask; /* Mask of bits that aren't addressable 



the underlying device block size */ 
' the maxiumum number of commands a 



mnt_devblocksize; /* 
mnt ioqueue_depth; / i 

*/ 

mnt ioscale; /* scale the various throttles/limits imposed 



on the amount of I/O in flight */ 



uint32 t 



mnt ioflags; 



/* flags for underlying device */ 



pending io t mnt pending_write size; /* byte count of pending writes */ 
pending io t mnt pending read size; /* byte count of pending reads */ 



lck rw t mnt rwlock; /* mutex readwrite lock */ 

lck mtx t mnt renamelock; /* mutex that serializes renames that change 
shape of tree */ 

vnode t mnt devvp; /* the device mounted on for local file systems */ 
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uint32 t mnt devbsdunit; /* the BSD unit number of the device */ 

void *mnt throttle info; /* used by the throttle code */ 

int32 t mnt crossref; /* refernces to cover lookups crossing into mp 

*/ 

int32 tmnt iterref; /* refernces to cover iterations; drained makes it 
-ve * / 

/* XXX 3762912 hack to support HFS filesystem 'owner' */ 
uid t mnt fsowner; 

gid_t mnt fsgroup; 

struct label *mnt mnt label; /* MAC mount label */ 

struct label *mnt_f slabel ; /* MAC default fs label */ 

/* 

* cache the rootvp of the last mount point 

* in the chain in the mount struct pointed 

* to by the vnode sitting in ' / ' 

* this cache is used to shortcircuit the 

* mount chain traversal and allows us 

* to traverse to the true underlying rootvp 

* in 1 easy step inside of 'cache lookup path' 

* make sure to validate against the cached vid 

* in case the rootvp gets stolen away since 

* we don't take an explicit long term reference 

* on it when we mount it 
*/ 

vnode t mnt realrootvp; 

uint32 t mnt realrootvp vid; 

/* 

* bumped each time a mount or unmount 

* occurs... its used to invalidate 

* 'mnt realrootvp' from the cache 
*/ 

uint32 t mnt generation; 

/* 

* if ' MNTK_AUTH_CACHE_TIMEOUT ' is 

* set, then 'mnt authcache ttl ' is 

* the time-to-live for the per-vnode authentication cache 

* on this mount... if zero, no cache is maintained... 

* if ' MNTK_AUTH_CACHE_TIMEOUT ' isn't set, its the 

* time-to-live for the cached lookup right for 

* volumes marked ' MNTK_AUTH_OPAQUE ' . 
*/ 

int mnt authcache ttl; 

/* 

* The proc structure pointer and process ID form a 

* sufficiently unique duple identifying the process 

* hosting this mount point. Set by vfs markdependency ( ) 

* and utilized in new vnode () to avoid reclaiming vnodes 

* with this dependency (radar 5192010) . 
*/ 

pid t mnt dependent pid; 

void *mnt dependent process; 
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Above is a screenshot of mounted file systems including an external hard-drive. 

BSD Processes 

Every Operating System uses user-land processes, it is one of the key element of a working O.S. 

Loaded processes are stored into proc structure which contains a double-list to walk into the list. There is a global 
variable, retrievable from symbols, called kernproc is the list-head of BSD processes list. 

p list field is a double link-list which contains a pointer to both, the previous and the next process. 

Definition of proc structure can be retrieved in xnu/bsd/sys/proc internal.h header file. 

Below is the definition of proc structure under Mac OS X Snow Leopard. 

/* 

* Description of a process. 
* 

* This structure contains the information needed to manage a thread of 

* control, known in UN*X as a process; it has references to substructures 

* containing descriptions of things that the process uses, but may share 

* with related processes. The process structure and the substructures 

* are always addressible except for those marked "(PROC ONLY)" below, 

* which might be addressible only on a processor on which the process 

* is running. 
*/ 

struct proc { 



LIST ENTRY (proc) p list; 


/* 


List of all processes. */ 


pid t 


p p i d ; 


/* 


Process identifier, (static)*/ 


void * 


task; 


/* 


corresponding task (static) */ 


struct 


proc *p pptr; 


/* 


Pointer to parent process. (LL) */ 


pid t 


p_ppid; 




/* process's parent pid number */ 


pid t 


P pgrpid; 


/* 


process group id of the process (LL) */ 


lck mtx t 


p mlock; 


/* 


mutex lock for proc */ 


char 


p stat; 




/* S* process status. (PL)*/ 


char 


p shutdownstate; 






char 


p kdebug; 


/* 


P_KDEBUG eq (CC) */ 


char 


p btrace; 


/* 


P BTRACE eq (CC) */ 



LIST_ENTRY (proc) p_pglist; /* List of processes in pgrp.(PGL) */ 

LIST_ENTRY (proc) p_sibling; /* List of sibling processes. (LL)*/ 
LIST_HEAD(, proc) p_children; /* Pointer to list of children. (LL)*/ 
TAILQ_HEAD( , uthread) p_uthlist; /* List of uthreads (PL) */ 
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LIST_ENTRY (proc) p_hash; /* Hash chain. (LL)*/ 

TAILQ_HEAD( , eventqelt) p_evlist; /* (PL) */ 

lck mtx t p fdmlock; /* proc lock to protect fdesc */ 

/* substructures: */ 

kauth_cred t p ucred; /* Process owner's identity. (PL) */ 

struct filedesc *p fd; /* Ptr to open files structure. (PFDL) */ 

struct pstats *p_stats; /* Accounting/statistics (PL) . */ 

struct plimit *p limit; /* Process limits. (PL) */ 

struct sigacts *p_sigacts; /* Signal actions, state (PL) */ 

int p siglist; /* signals captured back from threads */ 

lck spin t p slock; /* spin lock for itimer /prof il protection */ 

#define p rlimit p limit->pl rlimit 

struct plimit *p olimit; /* old process limits - not inherited by 

child (PL) */ 

unsigned int p flag; /* P * flags, (atomic bit ops) */ 

unsigned int p lflag; /* local flags (PL) */ 

unsigned int p listflag; /* list flags (LL) */ 

unsigned int p ladvflag; /* local adv flags (atomic) */ 

int p refcount; /* number of outstanding users (LL) */ 

int p childrencnt; /* children holding ref on parent (LL) */ 

int p parentref; /* children lookup ref on parent (LL) */ 

pid t p oppid; /* Save parent pid during ptrace. XXX */ 

u int p xstat; /* Exit status for wait; also stop signal. */ 

tifdef _PROC_HAS_SCHEDINFO_ 

/* may need cleanup, not used */ 

u int p estcpu; /* Time averaged value of p cpticks. (used by aio and 
proc_comapre) */ 

fixpt t p pctcpu; /* %cpu for this process during p swtime (used by 

aio)*/ 

u_int p_slptime; /* used by proc_compare */ 
#endif /* _PROC_HAS_SCHEDINFO_ */ 

struct itimerval p realtimer; /* Alarm timer. (PSL) */ 

struct timeval p rtime; /* Real time. (PSL) */ 

struct itimerval p vtimer user; /* Virtual timers. (PSL) */ 

struct itimerval p vtimer prof; /* (PSL) */ 

struct timeval p rlim cpu; /* Remaining rlim cpu value. (PSL) */ 

int p debugger; /* NU 1: can exec set-bit programs if suser */ 

boolean tsigwait; /* indication to suspend (PL) */ 

void *sigwait thread; /* 'thread' holding sigwait(PL) */ 

void *exit thread; /* Which thread is exiting (PL) */ 

int p vforkcnt; /* number of outstanding vforks(PL) */ 

void * p vforkact; /* activation running this vfork proc) (static) */ 

int p_fpdrainwait; /* (PFDL) */ 

pid_t p_contproc; /* last PID to send us a SIGCONT (PL) */ 

/* Following fields are info from SIGCHLD (PL) */ 
pid_t si_pid; /* (PL) */ 
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u_int si_status;/* (PL) */ 
u_int si_code; /* (PL) */ 
uid_t si_uid; /* (PL) */ 

void * vm shm; /* (SYSV SHM Lock) for sysV shared memory */ 

#if CONFIG_DTRACE 

user_addr_t p_dtrace_argv; /* (write once, read only after that) */ 

user addr t p dtrace envp; /* (write once, read only after that) */ 

lck mtx t p dtrace sprlock; /* sun proc lock emulation */ 

int p dtrace probes; /* (PL) are there probes for this proc? */ 

u int p dtrace count; /* (sprlock) number of DTrace tracepoints */ 

struct dtrace_ptss_page* p_dtrace_ptss_pages ; /* (sprlock) list of user 

ptss pages */ 

struct dtrace_ptss_page_entry* p_dtrace_ptss_f ree_list; /* (atomic) 
list of individual ptss entries */ 

struct dtrace_helpers* p_dtrace_helpers ; /* (dtrace_lock) DTrace per- 
proc private */ 

struct dof_ioctl_data*p_dtrace_lazy_dof s ; /* (sprlock) unloaded 
dof helper t's */ 
#endif /* CONFIG_DTRACE */ 

/* XXXXXXXXXXXXX BCOPY'ed on fork XXXXXXXXXXXXXXXX */ 

/* The following fields are all copied upon creation in fork. */ 

#define p_startcopy p_argslen 

u int p argslen; /* Length of process arguments. */ 

int p_argc; /* saved argc for sysctl_procargs ( ) */ 

user_addr_t user_stack; /* where user stack was allocated */ 

struct vnode *p textvp; /* Vnode of executable. */ 

off t p textoff; /* offset in executable vnode */ 

sigset_t p_sigmask; /* DEPRECATED */ 

sigset_t p_sigignore; /* Signals being ignored. (PL) */ 

sigset_t p_sigcatch; /* Signals being caught by user. (PL) */ 

u char p priority; /* (NU) Process priority. */ 

u char p resvO; /* (NU) User-priority based on p cpu and 

p_nice. */ 

char p nice; /* Process "nice" value. (PL) */ 

u char p resvl;/* (NU) User-priority based on p cpu and p nice. */ 

#if CONFIG_MACF 

int p mac enforce;/* MAC policy enforcement control */ 

#endif 

char p_comm[MAXCOMLEN+l] ; 

char p_name [ (2*MAXC0MLEN) +1] ;/* PL */ 

struct pgrp *p_pgrp; /* Pointer to process group. (LL) */ 

int p iopol disk; /* disk I/O policy (PL) */ 

uint32_t p_csflags; /* flags for codesign (PL) */ 

uint32 t p pcaction; /* action for process control on starvation */ 
uint8 t p uuid[16]; /* from LC UUID load command */ 

/* End area that is copied on creation. */ 

/* XXXXXXXXXXXXX End of BCOPY'ed on fork (AIOLOCK) XXXXXXXXXXXXXXXX */ 
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#define p_endcopy p_aio_total_count 

int p aio total count;/* all allocated AIO requests for this 

proc */ 

int p aio active count;/* all unfinished AIO requests for this 

proc */ 

TAILQ_HEAD ( , aio workq entry ) p aio activeq; /* active async 10 
requests */ 

TAILQ HEAD ( , aio workq entry ) p aio doneq; /* completed async 10 

requests */ 

struct klist p_klist; /* knote list (PL ?)*/ 

struct rusage *p ru;/* Exit information. (PL) */ 

thread t p signalholder ; 
thread t p transholder; 

/* DEPRECATE following field */ 

u short p acflag; /* Accounting flags. */ 

struct lctx *p lctx; /* Pointer to login context. */ 

LIST_ENTRY (proc) p_lclist; /* List of processes in lctx. */ 

user_addr_t p_threadstart; /* pthread start fn */ 

user addr t p wqthread; /* pthread workqueue fn */ 

int p pthsize; /* pthread size */ 

user_addr_t p_targconc; /* target concurrency ptr */ 

void * p wqptr; /* workq ptr */ 

int p wqsize; /* allocated size */ 

boolean t p wqiniting; /* semaphore to serialze wq open */ 

lck spin t p wqlock; /* lock to protect work queue */ 

struct timeval p start; /* starting time */ 

void * p rcall; 

int p ractive; 

int p idversion; /* version of process identity */ 

void * p_pthhash; /* pthread waitqueue hash */ 

#if DIAGNOSTIC 

unsigned int p fdlock pc[4]; 

unsigned int p fdunlock pc[4]; 
#if S I GNAL_DEBUG 

unsigned int lockpc[8]; 

unsigned int unlockpc [ 8 ] ; 
#endif /* S I GNAL_DEBUG */ 
#endif /* DIAGNOSTIC */ 

uint 64_t p_dispatchqueue_of f set ; 

} ; 

Pointer to the process group, pgrp structure, allows us to retrieve the username of the person who launched the 
program because this structure contains a pointer to a structure called session with the username. 

Definition of pgrp structure can also be retrieved in xnu/bsd/sys/proc_internal.h header file. 

Below is the definition of pgrp structure under Mac OS X Snow Leopard. 

/* 

* One structure allocated per process group. 
*/ 

struct pgrp { 
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LIST_ENTRY (pgrp) pg_hash; /* Hash chain. (LL) */ 

LIST_HEAD(, proc) pg members; /* Pointer to pgrp members. (PGL) */ 
struct session *pg_session; /* Pointer to session. (LL ) */ 
pid_t pg_id; /* Pgrp id. (static) */ 

int pg_jobc; /* # procs qualifying pgrp for job control (PGL) */ 

int pg membercnt; /* Number of processes in the pgrocess group (PGL) */ 

int pg refcount; /* number of current iterators (LL) */ 

unsigned int pg listflags; /* (LL) */ 

lck mtx t pg mlock; /* mutex lock to protect pgrp */ 

} ; 

Definition of session structure can also be retrieved in xnu/bsd/sys/proc_internal.h header file. 
Below is the definition of session structure under Mac OS X Snow Leopard. 

/* 

* One structure allocated per session. 
*/ 

struct session { 

int s_count; /* Ref cnt; pgrps in session. (LL) */ 

struct proc *s_leader; /* Session leader . (static) */ 

struct vnode *s ttyvp; /* Vnode of controlling terminal. (SL) */ 

int s ttyvid; /* Vnode id of the controlling terminal (SL) */ 

struct tty *s_ttyp; /* Controlling terminal. (SL + ttyvp != NULL) */ 

pid_t s_ttypgrpid; /* tty's pgrp id */ 

pid_t s_sid; /* Session ID (static) */ 

char s_login [MAXLOGNAME] ; /* Setlogin() name.(SL) */ 

int s flags; /* Session flags (s mlock) */ 

LIST_ENTRY (session) s_hash; /* Hash chain. (LL) */ 

lck mtx t s mlock; /* mutex lock to protect session */ 

int s listflags; 

}; 

s login field contains the name of the username in ASCII. 
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Above is a sample screenshot of a processes list, mainly executed by nfinfi user around March 2009. 

Kernel Extensions (Also Known As Drivers, Kernel Modules) 

Kernel-Mode, the God Mode, is the most privileged level of an Operating System. Loaded Kernel Extensions can be 
retrieved by a global list-head variable, accessible from symbols, called kmod defined by kmod inf o structure. 

next field points to the next kernel extension. 

Definition of session structure can also be retrieved in xnu/osfmk/mach/kmod.h h header file. 

Below is the definition of kmod inf o structure under Mac OS X Snow Leopard. 

typedef struct kmod info { 
struct kmod info *next; 

int info version; // version of this structure 
int id; 

char name [KMOD_MAX_NAME] ; 

char version [KMOD_MAX_NAME] ; 

int ref erence_count; // # refs to this 

kmod reference t *reference list; // who this refs 

vm_address_t address; // starting address 

vm_size_t size; // total size 

vm size t hdr size; // unwired hdr size 

kmod_start_f unc_t *start; 

kmod_stop_f unc_t *stop; 
} kmod info t; 

As you can see here we have both kernel extensions image base start and size. Since we have a functional kernel 
address space, we can easily extract the image of the kernel extension. 
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ref address siler code r.ize nine (uepninn > 

i Hf, 0x7H6 10000 0x00003000 0x00002000 con. a pple .dr i ver . i Tun KitPknnEDr iuEr CI -Hi 
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£2 0x00111)4000 0x00016000 0x000 16.000 c on. apple, in kit. [OSCK i fin It iracrl i.iflnrannnrinDEU ice C 2. 0.0 5 
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Above is a screenshot of a loaded kext lists. 

System Calls 

The very first step is to localize the syscall table, called sysent, which is a non accessible variable from symbols. 
So using a magic trick we can retrieve its offset through nsysent exported variable which contains the number of 
syscall entries. 

Under Mac OS X Leopard (10.5), as explained by Jesse D'Aguanno at BH US 2008, we have to add 0x20 to nsysent 
offset to obtain the offset of sysent table. 

Under Mac OS X Snow Leopard (10.6), we have to proceed with a different methodology. First, we have to retrieve 
the value of nsysent variable, then we multiply its value with the size of sysent structure, and then we 
subtract this value to nsysent offset to obtain the offset of sysent table. 

Definition of sysent structure can also be retrieved in xnu/bsd/sys/sysent.h header file. 

Below is the definition of sysent structure under Mac OS X Snow Leopard. 

struct sysent { /* system call table */ 

intl6 t sy narg; /* number of args */ 
int8 t sy resv; /* reserved */ 
int8_t sy_flags; /* flags */ 

sy call t *sy call; /* implementing function */ 

sy munge t *sy arg munge32; /* system call arguments munger for 32-bit 
process */ 
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sy munge t *sy arg_munge64 ; /* system call arguments munger for 64-bit 
process */ 

int32_t sy_return_type; /* system call return types */ 

uintl6 t sy arg bytes; /* Total size of arguments in bytes for 

* 32-bit system calls 

*/ 

}; 
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0XB01E425C 


_open 


[OKI 


6 


0X0036C75E 


_tlose 


[OK] 


7 


0x00375 EB2 


_uait4 


[OK] 


8 


0X003907F5 


_nosys 


[OK] 


V 


0X001E4932 


_link 


[OKI 


10 


0xB01Ebb4U 


_un link 


[OKI 


ii 


BxB03907F5 


_nosys 


[OK] 


12 


0X001E3925 


_c hd ii< 


[OKI 


13 


0X001E3723 


_fcJidir 


[OKI 


14 


0x001 £43 E8 


_mknod 


[OKI 


ib 


0X001E6FD1 


_chmod 


[OK] 


if, 


0X001E74B7 


_chown 


[OK] 


17 


0X0037AE2D 


_o break 


[OK] 


1ft 


0X00JE335E 


_ge t f s s t a t 


[OKI 


19 


0X003907F5 


jiosys 


[OKI 


2 k* 


BxB037DE3O 


_getiiid 


[OKI 


21 


0X003907F5 


_nosys 


[OKI 


22 


0X003907FE 


jiosys 


[OKI 


2 3 


0X0037F92E 


_setuid 


(OKI 


24 


0X0037DF0D 


jretuid 


[OKI 


2 b. 


0xB037DF21 


_geteuid 


[OKI 


26 


0x0038082:3 


_pti"Ace 


[OKI 


2 7 


0X003B0A4E 




[OKI 


2ft 


0X003E17R1 


_sendnsg 


[OKI 


29 


0X003B07D8 


jecuf rom 


(OK] 


30 


0xB03flFE73 


_accept 


[OKI 


31 


0X003B0EC4 


_get peer name 


[OKI 


32 


0x00 3 BBC DA 


_ge t s d c kn ante 


[OK] 


33 


0x001 ESD2D 


_access 


[OKI 


2 4 


0X00LE6BD7 


_cM lags 


(OK] 


3S 


axamtbc«B 


_f cM lags 


[OKI 


3 b 


0X001E22B5 


sync 


[OK] 


3 7 


0x003836112 


_kill 


[OKI 


3ft 


0X0039B7F5 


_no5ys 


[OK] 


39 


0X0037DE42 


_getppid 


[OKI 


48 


Ox 0B 3 ¥ 07 Kb 


_nosys 


[OK] 


41 


0xB036E487 


_dup 


[OKI 


42 


0x00394912 


_pi.pL- 


[OK] 


43 


0X0037DFC7 


_3e.te.gid 


[OKI 


44 


0x0038 FBftb" 


_pvof il 


[OKI 


4b 


Ox 003V 07 Kb 


_nosys 


[OKI 


46 


BxB0382075 


_s inaction 


[OKI 


4? 


0X0037DFD3 


_getgid 


[OKI 


4ft 


0X003S29F2 


-sigprocnask 


[OK] 


49 


0X0037EE44 


_get login 


[OKI 


50 


0X0037E5E5 


_setlcgin 


[OK] 


bl 


BxB03b82A7 


_aect 


[OKI 


52 


0x00381125 


_3 impending 


[OKI 


S3 


0X00381E39 


_s iga It stack 


[OK] 


5^4 


0x0039 160C 


_ioctl 


[OKI 


bb 


0X0038G732 




[OKI 


bb 


BxB01E9F24 


jeuoke 


[OKI 


57 


0X001E4E09 


_3 yn 1 i n Is 


[OK] 


bft 


0X001E6923 


_i'_adliink 


[OKI 



Above is a picture showing a list of syscalls from sysent table. 
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Information Extraction (Also Know As Analysis) | NFI 



Integrity checks are done if entry value does not give the function name value. It does not sound complicated but 
this trick was enough to detect Jesse D'Aguanno Rootkit presented at HAR2009. 



Thanks 
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• Dino Dai Zovi 

• Vincenzo lozzo, Zynamics 

• Neil Archibald (nemo) 

• Ruud van Baar, NFI 
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Thanks | NFI 



